in coding

Nokiana: the one about the CIA, Syria, and the N95

Matt Kane resurfaced on Bristol‘s underscore mailing list  with this intriguing snippet, after some travels around the middle-east: ” … discovered N95s (not mine) cannot be taken into Syria”.

I asked for the backstory, which goes like this:

Quite a palaver. Got the train from Istanbul to Syria (amazing trip!). At the border they didn’t search the bags of “westerners” but asked us all to show our phones and cameras. They glanced at them all quickly, checking the brand (“Nikon, ok. SonyEricsson, ok”). One guy had an N95 and they led him off the train. His sister informed us that they’d said it wasn’t allowed in Syria, and that if she knew her brother he’d not give it up without a fight. Despite being on contract, he argued with them for an hour and a half, even calling the embassies in Damascus and Ankara. In the end he gave it up, with a promise that they’d send it on to the airport from where he was leaving. A few days later we’re chatting with a barman and spot his phone – an N95, and yes, he got it in Syria! A few days after that we found out the full story from our hotel owner in Damascus. Apparently the CIA gave a load of bugged N95s to high-ranking Kurdish officials in Iraq, many of which were then smuggled into Syria and given as gifts to various shady characters. After the Hezbollah guy was assassinated in Damascus a few months ago, the Syrians set about trying to root out spies, which led to this ban on bringing N95s into the country. Apparently.

This is the first I’ve heard of it, but searching throws up a few references to rigged N95s as “spy phones”.

Somewhat-unrelated aside: I don’t believe the relevant functionality is exposed in the N95’s widget APIs yet. I had trouble making it vibrate, let alone self-destruct after this message. But at least widget/gadget/app security is getting some attention lately. It can’t be too long before “spy widgets” on your phone become a real concern, particularly since the exposure of phone APIs to 3rd party apps is such a creative combination. I should be clear that AFAIK, Nokia’s N95 widget platform is free of such vulnerabilities currently, and any “spy phone” mischief so far has been achieved through other kinds of interference. But it does make me glad to see a Widgets 1.0: Digital Signature spec moving along at W3C…

Add Comment Register



  1. Why would widget security be more important than that of applications you download on your phone? The iPhone will have digitally signed applications, but Nokia doesn’t? I’m also happy to see W3C adding a security spec to the widgets bunch, but manufacturers worried about third-party security should secure applications before widgets.

  2. @maxf Oh, download apps are important too of course. I just expect people to be a lot more casual and prolific in the widget space, than they are with installing full-access software on the phone. Just as we run a lot of javascript, Flash and Java applets browsing around the Web each day, even if we only install new desktop apps a few times monthly.

    @tlr thanks, I’d seen some of your widget security stuff (linked above actually) but not these. Both really nice sets of slides. It was just these kinds of vulnerability I was thinking about when I pondered the N95 situation.

    My newly updated N95 can have HTML/.js-based widgets on it now, merely by beaming it or texting a zip file. And we’re being trained to see these (not by Nokia, but in general) things as somehow more secure and sandboxed than full-featured desktop apps. That seems possible but far from guaranteed.

    I am btw a little worried re the Nokia widget platform, in that it seems that updates come as part of the phone OS, which is (I hope) not a frequent thing since it blanks the device. Maybe they’ll come up with a way for it to be improved without requiring that…

  3. Oh, just found this:

    http://www.informationweek.com/blog/main/archives/2008/04/nokia_gives_wid.html

    Posted by Eric Zeman, Apr 24, 2008 03:05 PM

    [[
    Nokia explains in a press release, "For example, a weather widget can now access the user's current location via the built-in GPS and in just a moment display the latest weather forecasts for that location." This means you won't have to update your phone to let it know where you are before getting the right weather report. After all, if you've just landed in San Francisco, the weather report for New York City isn't going to help you out very much.

    "The flight tracker widget fetches the user's itinerary from the airline's Web site, saves it to the mobile device's calendar, and sets a reminder," said Nokia. "A few hours prior to the travel time, the widget automatically checks for the flight status by getting the flight details from the calendar."

    I think you get the idea. The widgets will be able to access S60's numerous applications and services, such as calendar, contacts, GPS, messaging, audio, and video. As long as developers have the wherewithal to write good widgets, our phones will become even more powerful than ever.
    ]]

    Why evesdrop on people’s audio when you can just steal their contacts list and calendar? Spy Phones 2.0…

    (sometimes data doesn’t want to be portable!)